Activity Log#
The Activity Log service allows you to store and explore records of actions performed by any company user.
Note
A system user is created along with the account. All API calls made by the system user are logged in the Activity Log.
Access#
By default, access to the Activity Log service is disabled for all users. You can change this in the IAM Users section by adding a user to the ActivityLogAdministrators group in any project.
Attention
Users in the Activity Log Administrators group can control events in all company projects, regardless of which project they have been added to.
Definitions#
Several types of entities are defined within Activity Log: events, trails, and reports.
Events#
An event is a record describing a user action. Each event corresponds to one call of an API method. Events are also created for some user actions that are not API calls (see the list below).
An important attribute of an event is “Read only”. Read-only events are API operations that only read information about your resources without making changes. Examples are Describe requests, which are called every time you open almost any page of the K2 Cloud web interface. Such events are usually less important for analyzing user activity, which is why the “Read only” filter on the “Activity log” page of the web interface defaults to “No”. You can also use the ReadOnly attribute for filtering when you request events via the CloudTrail API.
For the list of API method names that are logged in Activity Log, see:
Furthermore, the Activity Log registers the following operations that are not API calls:
Examples of matching method names to user actions:
| API method name | User action |
|---|---|
| ModifyInstanceAttribute | Changing instance attributes (description, user data, instance type) |
| AssociateAddress | Elastic IP address association with an instance or a network interface |
| CreateNetworkAclEntry | Creating a rule in the Network ACL |
| AuthorizeSecurityGroupIngress | Creating an ingress rule in the security group |
| CreateVpnConnection | Creating a VPN connection |
| PutMetricAlarm | Creating/updating an alarm |
| CreateTrail | Creating a trail |
Attention
Actions initiated from within an instance (e.g. stopping the instance) are not API calls. Therefore, no events are created for such actions.
Trails#
A trail is a configuration for saving events to an object storage bucket. A trail instructs the cloud to save the events generated by every user of the customer to the specified bucket. Events are saved every 5 minutes as a tar.gz archive. To create a trail that saves events from all of the customer’s projects, the user must have permission to access object storage in the project where the bucket for storing the archives is located. Otherwise, the error “The AWS Access Key Id you provided does not exist in our records” is displayed.
Reports#
Activity Log allows you to get event reports in CSV and JSON formats. Click Create report CSV or Create report JSON in the Events subsection to start generating a report. You can check the current state of the report and download it in the Reports subsection.
Important
The maximum number of simultaneously stored reports is 5. After that, new reports overwrite the current ones.
The maximum number of reports being generated simultaneously is 2.
The report storage period is 3 days.
The “Activity log” section#
Use Activity Log for a detailed analysis of the events in your projects and for security monitoring over the last 30 days. To analyze the gathered data, you can apply simple filters, use a case-sensitive search in the Events subsection, or generate reports in CSV or JSON formats. Generating a report for the full 30 days of data can take some time. To reduce the number of records to download, apply a filter or narrow the time period. You can also aggregate and store the activity logs in object storage. For additional information, go to Trails.
Use cases#
Here are some examples of how Activity Log can be used:

If you need to find the user who performed certain actions on entities, e.g. stopped instances with a DB in one or several projects, choose the Action filter in the Events subsection, enter the case-sensitive full name of the action (e.g. StopInstances) and the time period you want to obtain data for (no earlier than 30 days ago), and apply the filter. You can then see the whole picture and view the details of each event by pressing Event details.

Imagine that you need to find the user who performed an action on a particular entity, e.g. deleted the production instance i-XXXXXXXX two weeks ago. To do this, choose the time period in the Events subsection and click Create CSV report or Create JSON report. The CSV or JSON format lets you analyze the events in detail, specify filter conditions (e.g. the TerminateInstances action and i-XXXXXXXX as the ID of the particular entity), and obtain the details of the user who performed the action (User name).
Note
Use dedicated tools for working with CSV or JSON files to analyze the events in your projects in detail, track particular changes to entities, and perform security analysis.
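The second use case above, applied to the tar.gz archives that a trail writes to object storage, as an added example that is not part of the K2 Cloud documentation. The archive layout and the record fields (Records, eventName, readOnly, eventTime, userIdentity.userName, requestParameters) are assumed to follow AWS CloudTrail conventions and must be checked against a real archive; the sample events and instance IDs are constructed.

```python
import io
import json
import tarfile

# Constructed sample events. Field names are ASSUMED (AWS CloudTrail style);
# check them against a real archive from your trail bucket.
SAMPLE_EVENTS = [
    {"eventTime": "2024-01-10T09:14:00Z", "eventName": "DescribeInstances", "readOnly": True,
     "userIdentity": {"userName": "alice"}, "requestParameters": {"instancesSet": ["i-0000aaaa"]}},
    {"eventTime": "2024-01-10T09:15:00Z", "eventName": "TerminateInstances", "readOnly": False,
     "userIdentity": {"userName": "carol"}, "requestParameters": {"instancesSet": ["i-0000aaaa"]}},
    {"eventTime": "2024-01-10T09:16:00Z", "eventName": "TerminateInstances", "readOnly": False,
     "userIdentity": {"userName": "bob"}, "requestParameters": {"instancesSet": ["i-0000bbbb"]}},
]

def build_sample_archive(events=SAMPLE_EVENTS):
    """Pack events into an in-memory tar.gz (assumed layout: JSON files with a Records list)."""
    payload = json.dumps({"Records": events}).encode()
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        info = tarfile.TarInfo("events.json")
        info.size = len(payload)
        tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()

def iter_events(archive_bytes):
    """Yield every record from every regular file; members are read in memory, never extracted."""
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:gz") as tar:
        for member in tar:
            if member.isfile():
                yield from json.load(tar.extractfile(member)).get("Records", [])

def mentions(value, needle):
    """Exact-match search through nested request parameters."""
    if isinstance(value, dict):
        return any(mentions(v, needle) for v in value.values())
    if isinstance(value, list):
        return any(mentions(v, needle) for v in value)
    return value == needle

def who_did(archive_bytes, action, resource_id):
    """Return sorted (time, user) pairs for modifying calls of `action` that name `resource_id`."""
    hits = []
    for ev in iter_events(archive_bytes):
        if ev.get("readOnly") or ev.get("eventName") != action:  # action match is case sensitive
            continue
        if mentions(ev.get("requestParameters"), resource_id):
            hits.append((ev.get("eventTime"), ev.get("userIdentity", {}).get("userName")))
    return sorted(hits)

if __name__ == "__main__":
    print(who_did(build_sample_archive(), "TerminateInstances", "i-0000aaaa"))
```

Matching the resource ID exactly, rather than as a substring, avoids attributing an action to the wrong user when one ID is a prefix of another.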
Subscription#
Activity Log is a subscription-based service. When the subscription expires or is deactivated, the Activity log section and the CloudTrail API become unavailable and trails stop aggregating events. Events that were already saved in object storage remain available.
When the subscription is activated, the API and the web interface section become available and trails resume aggregating events.
You can manage subscriptions in the Billing section.
CloudTrail limitations#
The following limitations apply to CloudTrail operation:
| Value | Limitation |
|---|---|
| Number of trails | 2 |
| Time period for which events without trail are stored | 30 days |

If necessary, you can relax these constraints. To do this, contact the support service.